10/08/2010 @ 12:25PM

Celebrity Data Breaches

Just two years ago, the State Department was embarrassed by the disclosure that workers had inappropriately accessed passport information of then-presidential candidates Barack Obama, Hillary Clinton and John McCain. To assess the depth of the problem, the State Department’s inspector general looked at the passport records of 150 politicians, actors, musicians and athletes. The investigation found that the celebrities’ passport data had been looked at thousands of times, raising concern over the privacy of high-profile Americans, and everyone else whose passport information is ripe for peeking by irresponsible government employees. The database in question contains names, addresses, Social Security numbers, date and place of birth, and passport numbers–prime fodder for identity fraud.

In all too many cases, employees with legitimate access to sensitive information abuse that privilege, says Michael Spinney, an analyst at data security think tank Ponemon Institute. “The human factor is the weakest link in the security chain.”

A Social Security number alone allows for tremendous financial abuse. In 2008, Courtney Love said that a Kroll Associates investigation found that identity thieves had used her late husband Kurt Cobain’s Social Security number to get a loan to buy a house in New Jersey. By getting his hands on Will Smith’s real name–“Willard C. Smith”–a thief was able to rack up over $33,000 worth of credit card debt using the actor’s identity. In one of the biggest cases of celebrity identity theft, a New York restaurant busboy, Abraham Abdallah, was arrested in 2001 after he duped credit reporting agencies into sending him reports on tycoons like Warren Buffett, George Lucas, Oprah Winfrey, Ross Perot and Michael Bloomberg, helping him to gain access to their brokerage and credit card accounts. He chose his victims from Forbes’ list of the 400 wealthiest Americans.

Data breaches are a worry for all Americans, of course, not just celebrities. “Getting access to these subsets of information is increasingly easy, because it’s all online,” says Eduard Goodman, chief privacy officer at Identity Theft 911, which assists companies after they suffer a data breach.

The Open Security Foundation has charted a steady rise in the annual number of database breaches. In 2004, there were just 24 breaches on record, compared to 600 in 2009. A quarter of the 2009 breaches were the result of a malicious or criminal attack (as opposed to company negligence or a system glitch), according to the Ponemon Institute. The institute calculates that each individual record breached, on average, costs a company $204 to resolve, including the cost to notify those affected and provide credit monitoring services. The Identity Theft Resource Center counts 533 breaches so far in 2010, exposing over 13 million records.

The breaches that tend to generate the most buzz, though, are those that involve celebrities, as when President Barack Obama’s student loan records were inappropriately accessed by nine Department of Education contractors. Sentences, which are still being doled out, have ranged from a year of probation to a month of community service and a $25 fine.

Compared to other celebrity data breachers, that bunch is getting off easy. David Kernell, a college student who was found guilty of hacking into Sarah Palin’s Yahoo account, will be sentenced later this month and is likely facing over a year in prison. Kernell hacked in by guessing the answers to Palin’s password hint questions based on her high school and birth date–information many of us put on Facebook.

Paris Hilton’s T-Mobile phone was hacked in a similar way in 2005 when someone was able to provide her Chihuahua’s name to a “favorite pet” security question. Her address book went public and her celebrity friends were inundated with phone calls.

At Los Angeles’ Ronald Reagan UCLA Medical Center, investigations have turned up a series of medical data breaches involving celebrities over the past seven years. In 2008 Lawanda Jackson, an employee at UCLA Medical, pleaded guilty to selling records of celebrity patients including Britney Spears, Farrah Fawcett and Gov. Arnold Schwarzenegger’s wife, Maria Shriver, to the National Enquirer. She died before she could be sentenced.

In reaction to the scandal, California passed some of the strictest laws in the country governing medical data privacy. Their first use: the case of “Octomom” Nadya Suleman. Some 24 hospital workers resigned or were fired and Kaiser Foundation Hospitals was hit with a whopping $437,500 in fines last year over snooping into her medical files.

The exposure of celebrities’ records illustrates just how vulnerable information in electronic databases can be, and how ineffective safeguards can be against rogue employees.